Fact Sheet
Certificate Security

Also known as a "public key certificate," a security certificate is one form of digital certification which provides confirmation that a given entity on the Internet is associated with a specific public key. An entity can be an individual or corporation, or it can be an electronic or computer artifact, such as a server or domain.

A Public Key is a cryptographic tool which bears a unique identity and, when processed by a key generation function, confirms the Private Key (unique identity) of an entity. A famous analogy for public key encryption is that of a locked mailbox with a mail slot. The mail slot is exposed and accessible to the public and its location is the public key. Anyone knowing the street address can go to the door and deliver an envelope. However, only the person who possesses the key can open the mailbox and read the message.

Typically, web users see certificates in the context of "secure" websites – one which use the HTTPS protocol. If a website is published in https, a browser will validate that the server which is hosting the site is the entity which corresponds to the presented certificate. In this manner, a user can feel a reasonable measure of confidence that a particular website is what it presents itself to be. This kind of security is used for websites which transfer any sort of secure information over the public Internet, ranging from credit card information to patient records to library subscription data.

Someone – an entity – who wants to transfer secure information can purchase a security certificate from an issuer (such as Verisign). Once sufficient proof of identity has been confirmed (in the form of evidence such as birth certificates, tax documentation, or government-issued identification), a unique certificate is generated. When users attempt to verify the authenticity of web content, their browser will compare its recorded keys against the certificate and, if necessary, contact the issuer electronically in order to confirm identity.